Archive for August, 2012

I recently watched a presentation that rel1k gave at bSides Cleveland 2012, in which he revealed some of his top secret antivirus bypass techniques. He quickly explained and demonstrated Binary Droppers, Shellcodeexec, Powershell injection, modifying Metasploit payload templates, and PE crypters. This last one caught my attention, as I hadn’t heard of it before. The PE crypter that he demonstrated is called Hyperion, by nullsecurity. It works somewhat like a PE Packer, but instead of scrambling the payload and encapsulating it with explicit instructions on how to descramble it, the payload is encrypted and encapsulated with a weak 128-bit AES key, which is simply brute forced at the time of execution. Let’s try it out. Only the source files are made available, so we’ll have to compile it ourselves. Luckily, BackTrack provides the tools need to cross-compile executables.

You’ll notice that I didn’t upload this to VirusTotal to see how many anti-virus vendors detect our payload as malicious. It’s pretty well known now that this is one place anti-virus vendors go to find new payloads that they need to create signatures for detection. So, your best option for testing custom payloads is to simply install the version of anti-virus that you are trying to bypass.

Also, as rel1k stated in his presentation, the stub used to encapsulate the payload is static, so anti-virus vendors could easily create a signature for these payloads. He suggests modifying the source so that it is polymorphic. Alas, I have no idea how to do that right now, so maybe we will cover that in later post. Happy Crypting!